Google Boots Prolific Facebook-Hijacking Apps From Play Store
Google has thrown nine malicious Android apps off its Play Store after they were found to be stealing users’ Facebook credentials.
The apps – which ranged from horoscopes to photo processing, fitness, and performance optimisation services, and between them were downloaded 5.8 million times – were fully functional and did work as advertised.
However, according to security firm Doctor Web, they also prompted users to sign into Facebook using a legitimate login screen into which they injected code that would hijack usernames and passwords.
“Analysis of the malicious programs showed that they all received settings for stealing logins and passwords of Facebook accounts. However, the attackers could have easily changed the trojans’ settings and commanded them to load the web page of another legitimate service.
“They could have even used a completely fake login form located on a phishing site. Thus, the trojans could have been used to steal logins and passwords from any service,” Doctor Web reported.
All nine apps – PIP Photo, Processing Photo, Rubbish Cleaner, Inwell Fitness, Horoscope Daily, App Lock Keep, Lockit Master, Horoscope Pi, and App Lock Manager – have been kicked off the Play Store, Ars Technica reports, and their developers banned.